Product
samlify's template substitution only escapes attribute contexts, leaving values inserted into element text (e.g., `<saml:AttributeValue>`) unescaped, allowing a normal user to inject XML markup into an attribute value and add new `<saml:Attribute>` elements inside the signed assertion, leading to privilege escalation when attributes are used for authorization (CVE-2026-46490).